0:03

Hello, Hello, Welcome to Smart Talks with IBM,

0:06

a podcast from Pushkin Industries, iHeart

0:09

Radio and IBM. I'm

0:11

Malcolm Glapwell. This season,

0:13

we're diving back into the world of artificial intelligence,

0:16

but with a focus on the powerful

0:19

concept of open its

0:21

possibilities, implications,

0:23

and misconceptions. We'll look

0:25

at openness from a variety of angles and

0:28

explore how the concept is already reshaping

0:30

industries, ways of doing business

0:33

and our very notion of what's possible.

0:36

On today's episode, I'm joined by Jason

0:38

Kelly, the global Managing Partner for

0:40

IBM Strategic Partners and Ecosystems,

0:43

and by Christy Fredericks, the Senior

0:45

Vice president and Chief Partnership

0:48

Officer at Palo Alto Networks.

0:51

We discussed how their partnership in

0:53

the cybersecurity space helps strengthen

0:56

enterprises by focusing on seamless

0:58

cybersecurity solutions tailored

1:01

to meet the evolving threat landscape.

1:04

By leveraging AI and automation, this

1:06

collaboration aims to modernize security

1:08

programs, improve response times,

1:11

and produce risks. Jason

1:14

and Christie both bring a tremendous

1:16

amount of experience and expertise

1:18

to the subject I think

1:20

you're really going to enjoy this one.

1:34

Jason Christy, Welcome to Smart Talks

1:36

with IBM. Thank you for joining me.

1:38

Thank you.

1:38

It's great to be here.

1:40

We are here to discuss cybersecurity and

1:42

the partnership between IBM and

1:44

Palo Alto Networks. But before we get there,

1:47

I wanted you guys to tell me a little bit about

1:49

yourself. Jason's

1:52

start with you. I see on your resume

1:55

west Point, which makes we

1:57

think there's some interesting things going

1:59

on. How did you get to west Point?

2:02

West Point? West Point was the decision. First,

2:04

it was it was affordable back in the

2:06

day. But I had a sense of service.

2:08

My father was a World War Two vet, so

2:11

I grew up on the weekends watching World War

2:13

two video. You know he's

2:15

army as well. Yeah, and so I

2:18

thought, oh, that'd be exciting, and

2:21

I thought I do some type of service.

2:23

Went there and now I have the biggest

2:25

family, extended family I could ever

2:27

have.

2:27

So it was very exciting.

2:29

Played football lucked out, meaning

2:32

I wasn't recruited.

2:34

I walked on and

2:36

that kept.

2:37

Me there because it gave me something and out left with

2:39

all the other pressures defensive

2:41

back, I was I was great at knocking the

2:43

ball down, not the best at catching it.

2:45

Yeah,

2:47

and then you were a ranger.

2:49

I was.

2:50

I was privileged to be a US Army airborne

2:52

ranger station, but did most of my time

2:54

in northern Italy. We're part of the it's

2:57

eighty second airbarnship post. Oh yeah,

3:00

people say seriously, like, you know, you were,

3:02

you were, you were drinking wine and having

3:04

bred, you know, but it was.

3:07

We're part of a NATO force there at

3:09

the time. Yeah, so exciting.

3:11

How did you get from there to IBM?

3:15

A long path.

3:17

As I came out of the military, I started

3:19

manufacturing retail housing

3:23

and

3:25

did a quick stint, took a leave of absence from

3:27

industry, and did

3:30

a stint of yet again public service

3:33

in the state of Tennessee with economic development,

3:36

and got a whiff of how

3:38

fun it could be to do things around data

3:41

and media. Started a small

3:43

media firm what we would now call a digital

3:45

firm, sold it

3:47

and said I wanted to go do it

3:50

again somewhere, but I wanted to go to

3:52

a big company. And the family at IBM

3:54

brought me in and yet to let

3:56

me go.

3:56

That was how many years ago, two

4:00

decades oh wow, Yeah.

4:01

So I know I look amazingly young on but yes,

4:05

you must have.

4:06

And IBM was my fifth career and and

4:09

and I've enjoyed a since. And that's what

4:11

I what I do.

4:12

They build teams, grow new parts of the

4:14

company and get to work with some of the

4:16

most brilliant people on the face

4:18

of the planet, as well as partners like

4:21

Christy that just keep it exciting.

4:23

Christy, you're I was delighted to learn that you are

4:25

Canadian.

4:25

Yes from here?

4:28

Yeah.

4:29

But you so you were a consultant

4:31

for a long time at Bane.

4:33

Yes. Yeah. I joined Bain Consulting

4:35

intending to spend a couple of years there learn

4:38

the ropes and then go get my first real job. But

4:40

the value personally to my growth

4:42

and development, and then that we were able to bring our

4:44

clients. I ended up there for sixteen years,

4:47

and then post Bain went on

4:49

to another my first product company,

4:51

a new relic, and then it's come full

4:53

circle at Powlta Networks. But at

4:55

Bain it was all about bringing

4:58

expertise across different industries to help our

5:00

clients improve whatever they needed

5:02

to improve and bringing that expertise

5:04

to bear. And then you have the product

5:06

lens and you think, Okay, we're going to build the absolute best

5:08

product to help our customers do

5:10

what they need to get done. And then I joined

5:13

pal Alto about six seven months ago in

5:16

a partnership's role and I'm delighted

5:18

to be able to work with amazing consulting companies

5:20

like IBM where we bring both to bear.

5:23

How long have IBM and Paulo Alto Network's

5:25

been partners?

5:26

So we've been We've been working together for

5:29

quite quite a long time, but we made

5:32

it official, meaning we got married as

5:34

strategic partners last year.

5:36

Oh I see. So what is it that each of

5:38

you bring to the table? What's each

5:40

side special?

5:41

So it's great that you asked that because

5:43

about a decade ago, are now

5:46

CEO Arvin Christ says, you

5:48

know, it wouldn't be great if we just had this

5:50

one focus with this what does IBM do? And

5:52

you have this whole list, and he says, let's

5:54

make it simple. We are a

5:57

multi cloud, hybrid cloud a

5:59

company. And so when you say

6:01

that, it sounds very simple, but then.

6:03

People, what the hell is that? What your

6:06

hybrid cloud?

6:07

Well, both of those two things have

6:09

a lot of data involved and a lot of

6:11

those mean that that data is

6:13

going to sit in multiple places and distributed

6:15

environments. Well, if you're

6:17

able to tie those things together with multiple

6:20

partners, you also have to make sure

6:22

that it's secure because

6:25

in the direction that we're going, where data is

6:28

now being consumed in many different

6:30

places and it is the fuel behind AI

6:32

as we know, then you say, ah,

6:35

well, who does that well and

6:38

who does it in a way that's getting

6:40

rid of seams, the seams that could be across

6:42

multiple products, multiple product

6:44

SATs even And that's where Powell comes

6:46

in.

6:47

I think the conventional

6:49

wisdom and cybersecurity was always you need

6:52

all the new tools, right, you need it every

6:54

threat. It's like, whack them all. Every threat that pops up,

6:56

you get the tool that's purpose built for that specific

6:59

thing. Well, fast forward to you

7:01

know, the RSA conference this year, there were four

7:03

thousand vendors on the floor. You

7:06

look at an average company, there's hundreds of cybersecurity

7:08

tools. It introduces a level

7:11

of complexity that is

7:13

really hard to manage you as a

7:15

user. Query and application,

7:17

right, that query

7:19

can go through a bunch

7:22

of different pings from one cloud to the next.

7:24

It goes into and out of assaas application. It maybe

7:26

running along a network. You may be accessing

7:28

it from your phone, which is an unmanaged device. It's

7:31

got to go in and out. And if you say, okay,

7:33

I've got to secure that phone, I've

7:35

got to secure the network, I've got it. And

7:37

then all of a sudden you've got sort of firewalls, software

7:40

and hardwelfiles popping up everywhere. You've

7:42

got cloud security, and it's you've

7:44

probably heard of this concept of zero trust, which is every

7:46

time you have to check and say are you allowed in here? Are

7:48

you allowed in here? The number of places that

7:51

can fall down it just becomes overwhelming.

7:53

So you end up with either alerts

7:55

firing, you know, every

7:58

two seconds that you have to then go invest again,

8:00

most of which are false positives or

8:03

you miss something right. And

8:05

so that was the conventionalism was we've got to buy all

8:07

these tools, and now you've got overwhelmed

8:09

CIOs and CSOs with hundreds of tools,

8:11

and Palo Alto strategy has been, look, we're

8:14

going to create a platform where everything can

8:16

be stitched together, everything can speak the same language,

8:19

and we can sort of manage

8:22

throughout the architecture and watch, you know,

8:24

this call as as it's passing through

8:27

all these different checkpoints, and

8:29

we can do it in a way that you still have the confidence

8:31

that it's best to breed right, so you're not making any

8:34

trade offs. But it's not so simple just

8:36

to get from the spaghetti to the

8:38

seamless architecture. You need, oftentimes

8:41

to re engineer your business processes. You

8:43

have to re architect your digital environment.

8:46

And so that's where we partner with a company

8:48

like IBM to bring that expertise and

8:50

say we're going to help you not just deploy

8:52

the best cybersecurity architecture, but really get

8:54

your environment ready to have this zero

8:56

testomer.

8:57

As well as all of those players that cross

9:00

at spaghetti. Because when

9:02

you start thinking about all the other partners

9:04

that you work with, if you're you think of an industry

9:06

perspective, you're going to have an ERP. It

9:09

could be an Oracle, it could be an SAP. You're

9:11

not going to have one cloud, as I mentioned, it's gonna be possibly

9:14

multiple clouds. You'll have some AWS

9:16

maybe Microsoft Asure and then even even

9:19

some Google in there, and then your own that you've

9:21

built in your private over there.

9:23

Uh, some an IBM cloud.

9:26

You'll have those multiple clouds, and then you

9:28

also will have you know, fit for purpose.

9:31

Oh I need a I need a salesforce

9:33

in there for my customer focusing.

9:35

I need I'm doing some graphics, so I have Adobe, so I

9:37

just as I can name name name, all

9:40

of those then have to

9:42

be re engineered seriously.

9:44

I mean, come on, Malcolm, You're gonna sit there.

9:46

You think how long that would take. So if

9:49

you haven't done that before,

9:52

you're going to have to go to each one of those individually, or

9:54

you can work with a company that can

9:56

tie those things together, because we are also

9:58

strategic partners with them.

10:00

So that's where you start to say, Okay, I

10:03

see how this comes together. You

10:06

have to make sure that your ecosystem

10:09

is going to be stronger than your competitor's ecosystem,

10:11

and you have to be secure in what you're doing

10:14

because as you add more players or products,

10:16

you create seams, and you want to make

10:18

sure there's fewer seams and

10:20

that there's zero trust across

10:23

that capability you're building. And

10:25

that's why the compliment between the two

10:27

companies.

10:28

We'll take a step back from a moment before we

10:30

sort of launch once get into the specifics

10:33

of what you guys are doing. I'm curious

10:35

at this moment in twenty

10:37

twenty four, how

10:39

nervous should we be

10:42

about cybersecurity? So compared it

10:44

to five years ago or

10:47

ten years ago, are we Are

10:49

you less nervous than you were five years ago or more

10:51

nervous or all of changes going on

10:53

right now increasing vulnerability

10:56

or decreasing it.

10:58

I would say Chris, also,

11:00

I think we share the point of views that it's

11:03

not necessarily being more nervous.

11:05

I think you should be more prepared.

11:08

Yeah, because the amounts

11:10

of threat is increasing

11:13

based on our dependence upon data.

11:16

And that's that's where I

11:18

think the attention should be placed. Is

11:20

that more and more, especially with

11:22

the importance of AI that

11:26

you say, okay, then what's under all that?

11:27

And it's the data?

11:29

As I said, So knowing

11:31

that you should be more concerned.

11:35

Does the advent of AI and it's

11:37

rapid evolution help defense

11:40

more or offense more?

11:41

I think it's I think it's like any mega

11:44

trend that we've witnessed both.

11:47

Right, So you think about AI, it's

11:49

ninety nine percent great

11:52

right in terms of what it's going to unlock for productivity,

11:54

for humanity, But it also makes

11:56

it a whole lot easier to build ransomware.

11:58

It's a whole lot easier to take different ways

12:01

into a system, right. But I think that's

12:03

true if you think about like the rise of the Internet,

12:05

right, all of a sudden, everyone was putting their data online

12:09

and you had to think of new ways to

12:11

stay ahead and keep that secure. And I don't think AI

12:13

is any different. You've got companies

12:15

like Palta, partnerships like Powell and IBM that

12:18

are constantly

12:21

scanning the landscape for not only the current threats,

12:23

but what's next, what's coming around the corner, what's

12:25

after AI? And so I think taking

12:28

it seriously and being prepared is probably the right

12:30

way of looking at it, as opposed to because

12:32

if you think about it too hard, you'll just want to crawl

12:35

into a corner and stuff everything under the mattress.

12:39

I am the CEO

12:42

of a regional

12:45

hospital chain, big distribute

12:47

healthcare system, so

12:50

a ton of data. The consequences

12:52

of being hacked and help for ransom

12:54

are life and death. Life and

12:56

death. When

12:59

you come so you you come down, You sit down

13:01

with me, and you chat with me. Walk

13:04

me through the kinds of things you would tell

13:06

me about what I need to get safer.

13:08

For example, let's start with one. Is

13:11

it likely that I'm spending too little or am I spending

13:13

money in the wrong place?

13:15

Great question, It depends

13:17

how you've broken it out. If

13:19

you are distributing all of your dollars

13:21

across a whole bunch of different tools,

13:24

it's likely you're just spending the wrong money. And

13:26

in fact, you know, putting it all in one place is

13:28

a way of potentially saving money but

13:30

keeping your security actually higher.

13:33

And I'd love to hear Jason, how you would approach

13:35

it. How we would approach it, of course, is by saying, you know

13:37

what, what does your environment look like?

13:40

You know, do you have the connected medical

13:42

devices into your EMR? Are

13:46

your respirators and ventilators all online?

13:48

Right? And so we would talk about, okay, here's how

13:50

you get coverage, and how the coverage

13:53

of both the firewalls as well as the detectors

13:56

all feedback into your security operation center

13:58

and you can manage it and and do your

14:00

learning with AI and keep

14:02

yourself securing.

14:03

So yeah, and I would say Christy and I

14:05

would go to the same point because if you get

14:08

under what she was just asking, it

14:10

is your data on prem

14:13

and when it's on prem, how

14:15

active is it across the

14:17

enterprise? And so that begins

14:19

the basis for the start. And then often you're

14:22

going to say, well, we actually take in data from

14:24

outside and then we also have the

14:27

circumstances. There's a lot of PII and

14:29

so that personal is the

14:31

personal information, right, Yeah,

14:34

And so now you're saying, okay, now

14:36

how are we securing that and where are

14:38

we securing it? And so you have to

14:41

start really thinking about the different

14:43

areas within that hospital

14:46

chain. Are you sharing that amongst

14:48

your hospitals? And now you start

14:50

to think of if I'm

14:52

saying no to a lot of that, it's like, well, then are you

14:54

as efficient as you want to be? So

14:56

there is that trade off of

14:59

you know, am I so tightly walled

15:01

that I'm not productive? And

15:03

so that's where we would start to say,

15:06

what's the outcome that you're trying to get to? All

15:08

Right, maybe you're good, Maybe you're you're good with your

15:10

five locations and you don't need to go

15:13

any further, but maybe you want to expand to fifty

15:15

and by the way, you're going to go crossport or you're going to

15:17

be in Toronto and in New York. Okay,

15:20

well then how do you do that? And

15:22

so I think that it's very easy

15:25

to start jumping into any

15:27

of the typical situations. But

15:30

the first question that you have to ask

15:33

you, as the hospital CEOs,

15:35

what's your objective? What are you

15:38

what are you trying to do? Because too

15:40

often what we see is that there's some

15:42

bright, new, shiny thing that everybody

15:44

wants to put in play. You know, it's

15:46

a sandwich looking for lunch and you go,

15:50

but what is it that you want to do as this Are

15:52

you doing research? Are your research hospital? Are

15:54

you more consumer oriented? So

15:56

those are the questions you start to ask because

15:59

they start to then tell a story in

16:01

line with what Christy questions. And

16:03

I think that that's where the again, the complement

16:06

is that instead of just saying, oh, well, that's

16:09

thanks for telling me all this, Malcolm, here's your

16:11

ten page strategy.

16:13

Go find somebody.

16:15

We have the benefit in IBM,

16:17

and is probably why I'm still there is.

16:19

You know, we're very unique.

16:20

We're the only company on the planet that

16:23

has a consulting business

16:25

at scale inside of a technology

16:27

company, and so we have

16:30

you know, the left brain, right brain, we're able

16:32

to do that, and then we're able to say, okay,

16:34

now which partners are going to be

16:37

most valuable for our clients.

16:39

What's going to work for you?

16:40

Isn't going to work for the manufacturer down the road,

16:43

isn't going to work for the consumer or CpG

16:45

company across the river. Those

16:48

things are very specific. The threats

16:51

and the scenes that I was talking about are

16:53

very specific. So that's where

16:55

it becomes very valuable to make sure that I'm

16:59

not just giving you some strategy

17:01

that's generic.

17:02

But everything as

17:04

a healthcare CEO, everything

17:06

I have done, almost everything I've done

17:09

over the last ten years, hasn't

17:11

it had the effect of increasing my vulnerability.

17:13

I want to digitize data within the hospital

17:16

used to be on pieces of paper. I want

17:18

doctors to go home and to be

17:20

able to seamlessly hook into stuff at work because

17:23

they got to do all their paperwork. I want to make sure the

17:25

diabetes people are speaking to the

17:27

organ transplant people. And so isn't

17:29

that everything I have done to kind of

17:32

keep up with the revolution in healthcare?

17:34

Isn't that also making me more and more vulnerable

17:37

to a bad actor.

17:38

It's such a great question because think about the quality

17:41

of healthcare delivery.

17:41

Right.

17:42

So now doctors aren't filling out forms,

17:44

they're spending time with patients, and so

17:46

the quality of care is improving and the vulnerability

17:49

is improving, right, And so I think that's

17:51

where having a strong cybersecurity

17:53

strategy actually enables

17:55

all of that. One of our products is our sas

17:57

product, and we tested it with some business application

18:00

and oftentimes the wrap is, oh, security

18:02

is going to slow you down, like you have to add a firewall,

18:04

you have to checkpoints. Our product actually

18:07

increases the velocity of your

18:09

ability to use that application because of the way

18:11

that it is queried through our system

18:14

as opposed to just through the regular network.

18:16

So it doesn't slow it down and in fact, it makes it run

18:19

more efficiently. That's just one

18:22

minor example. But back to the healthcare

18:24

question. I, as a patient

18:26

want my doctors accessing all the technology and talking

18:28

to each other and connecting the dots behind the scenes.

18:31

I also want my data to stay private, and

18:33

so having both a consulting

18:36

partner who understands how

18:38

to ask questions of the environment and of the applications

18:41

you're using, and who understands the industry

18:43

inside and out, and a technology partner

18:45

that builds and stays ahead of all of the

18:47

different threats come together and advise

18:49

you. I think is super important. When

18:52

you bring in a partner like IBM,

18:55

with a platform like Palalta that covers

18:58

all the different parts of your environment,

19:02

you're able to say, look, where where

19:04

are the vulnerabilities in the system, Where

19:06

are the different endpoints that we

19:08

need to have covered, and then just make sure you get

19:10

that breadth of coverage, and then

19:12

you're better able to so, yes, you've increased

19:14

the risk, but then you've mitigated it.

19:17

So to give so before

19:19

I retire my healthcare analogy,

19:21

because I was thinking about just trying to understand

19:25

the importance of this idea of having

19:27

a single platform.

19:29

So if this mudtal healthcare network

19:32

is typical, I've acquired a whole series

19:34

of over the last ten years. I bought a hospital

19:36

over here, some I got some physicians,

19:38

things that I snapped up over here about

19:41

a diagnostics company, and so

19:43

I have all of these legacy systems

19:45

and I had, like you said, maybe I got some

19:47

stuff in the cloud with one company, some stuff

19:49

with the cloud. And what you're saying is the

19:52

first step is to kind of rationalize

19:55

that put it on a single platform, so you

19:57

understand where your points of weakness

19:59

are as opposed to being blind to your points

20:02

of weakness.

20:04

There's yes,

20:06

although anyone who's done any

20:08

kind of M and A knows that that's a long

20:11

journey, right. So I think the first

20:13

step is just understanding where everything

20:15

is. And then you get on a path and you say,

20:17

where's the biggest risk. Let's let's neutralize

20:19

or mitigate that risk one at a time. The

20:22

thing about open end secure, you

20:24

know Palo Alto. We keep touting the benefits

20:27

of the platform. Everything on Palo Alto,

20:29

your risk is going to be mitigated and you're going to have the full visibility.

20:32

But you can't get there overnight. And

20:35

so we've got you know, thousands of integrations

20:37

with other technology companies, including our

20:39

partners, to make sure that we can capture

20:42

and have visibility into those those

20:44

endpoints in those systems as well. And

20:46

so I think step one is just figure out

20:48

where everything is. Just get the scan. So Polta

20:50

has a couple of products where you can kind of deploy

20:52

and get a view of your attack surface. I

20:55

love the analogy. Just like a digital

20:57

environment is a house, right and so like you have your front

21:00

lock, of course, because probably they're going to try

21:02

the front door first. But that's not

21:04

all you're going to do, right, You're going to make sure the whole you

21:06

know, the windows are locked and there's an alarm system

21:08

and all of that. And I

21:11

think that's how you have to think about it, is just how

21:13

do we cover the whole service?

21:15

So everyone laid, people like me have

21:17

been bombarded over it seems like over

21:19

the last year with one

21:21

thing another about how quickly AI

21:24

is moving forward and how big of a deal it is

21:26

suddenly is going to be in the economy. What

21:28

is the impact of

21:31

that dramatic change

21:33

in AI's capabilities on this

21:36

cybersecurity question? So what does

21:38

it mean if you're defending somebody that you

21:40

now have these sophisticated AI tools you

21:42

just suppose.

21:44

I think that AI becomes the force multiplier

21:47

for cyber To

21:50

think about cyber Before

21:52

it was just locking your doors, locking

21:55

the windows, and if you were

21:57

really good, you had an alarm system. You

21:59

know, Now

22:02

with AI, you can say,

22:04

well, I can predict what's

22:06

going to happen, I can see around the corner.

22:08

I know, I can leave my windows open upstairs,

22:10

and it's fine and it's okay.

22:12

I mean because why because the AI is

22:14

running a million simulations.

22:17

It can And that's exactly it.

22:19

It becomes the intelligent

22:21

part of that AI. It's not

22:23

artificial, it's augmented. So you now

22:25

have this new capability to see around

22:27

corners and so you're able

22:30

to do the jobs of yesterday more

22:32

effectively.

22:34

And the.

22:36

Queries that you were doing and that's all you're really

22:38

doing, now you're doing them, you know, faster,

22:41

You're able to access even more data

22:44

and you're able to then make

22:47

it more secure. So that's why AI

22:50

becomes a force multiplier.

22:51

Yeah, and just talk about

22:53

the faster part. What does faster

22:56

mean in practical terms? If

22:58

you're trying to defend an enterprise against a cyber

23:00

attack, what does speed matter in that environment?

23:03

You're always trying to find a place

23:06

through I go back to you. We brought

23:08

up the army. You always how do you break the line?

23:10

How do you find a penetration point? And

23:12

when you think about you know, pin testing,

23:15

penetration testing.

23:16

Where are those?

23:18

So if you're able to do that faster than the bad

23:20

guys, and not only faster, but you're

23:22

picking more probable points.

23:24

This is back to the intelligence.

23:26

I could waste time doing penetration

23:28

testing someplace where. That's why I mentioned leave. If

23:31

they can't get in the second story windows,

23:33

why are you spending time trying it? So

23:36

that becomes more effective. So

23:38

that's when I think of speed. That's what I

23:41

think of because with not just speed,

23:43

I think it's also what's effective.

23:45

Just to put a put a fine point on it. So I found

23:47

a way in. Okay, Now what I don't know where

23:49

the jewelry is, so I have to look around and see if

23:51

there's any hidden gems and

23:53

try to find my way. That used to take a week,

23:55

two weeks, or of seven to fourteen days. Now

23:58

it's hours right so there in

24:00

and they can actually expltrate data within less

24:02

than a day. The metric

24:04

we use in the security operation center is meantime

24:07

to detect, so to see anyone's there, meantime

24:10

to respond and remediate to get them out right.

24:12

That used to be also you

24:14

know, seven eight, nine, ten days. Now

24:18

it needs to be less than an hour. And

24:20

with our AI based security

24:22

operations platform, it is. Now

24:25

you've got one tool that whether it's

24:27

all peloton networks or whether it's just you know,

24:29

hoofringing data from other places and you're able

24:31

to see it all together, so you actually get fewer alerts.

24:33

So you get from thousands of alerts

24:35

down to one hundred alerts,

24:37

right, and you can investigate them and you investigate them using

24:40

AI too. And AI is today

24:42

it's today's threat, but it's you know, you think about

24:45

threat and opportunity to think about what's next. You

24:47

always have to be kind of evolving and you have

24:49

to think.

24:50

We talk about threat and risk, and you know, we

24:52

didn't tell you know, what is the cost of

24:55

cyber some type of penetration.

24:57

It's typical cost is for four

25:00

and a half million dollars and

25:02

that's just in labor

25:05

and remediation. If you think

25:07

about reputational risk

25:09

as well, our Institute for Business

25:11

Value to the study and found it in twenty

25:14

twenty three and they were thirty nine banks that

25:16

we watched that suffered

25:19

a reputational risk market

25:21

value of one hundred and thirty billion dollars.

25:24

And so you start to think, wow, that's just

25:27

reputational risk. So

25:29

that's what's at stake here, and it's

25:31

only that is only going to get bigger.

25:34

So one of the piece we haven't talked

25:36

about about AI that I find super interesting

25:38

because we've been talking essentially about like

25:41

the terminator, the robots fighting robots, right, Like

25:43

whose robots are quicker? Like I'm designing

25:45

at tax and I'm defending against tax, and I think that's

25:48

that's super important. But we

25:51

recently launch and our working at IBM on our

25:53

AI security product to actually secure the use

25:55

of AILA because it also opens up another set of

25:57

threat factors. I'll give you an

25:59

exampimple. I'm a marketing

26:02

executive now for your hospital. So I work

26:04

for you, and you want to announce

26:06

the launch of a new center,

26:09

and so I upload all the information about

26:11

all the patients and our you know how we do

26:13

things into chat GPT to write the PR for me.

26:15

Well, I've also just uploaded to chat GPT a whole

26:17

bunch of secrets, right. So

26:20

it's it's how employees are using AI, because

26:22

I think, you know, some companies are sort of building

26:24

their own language models and their own AI applications

26:27

that they want to keep secure. Others are

26:29

just curious about how their employees are using AI

26:31

applications on the shelf. And

26:33

so we announced in May a product where you can

26:35

actually scan and see

26:37

how AI is being used in your enterprise

26:40

and within We made the announcement with the

26:42

GA was last month, but we made the announcement in May,

26:44

and we had immediately thousands of CIOs

26:47

signing up because just understanding you

26:49

know who's using what it's another open

26:51

question because you know, we talk about AI

26:53

enhancing productivity and all the benefits it's going to

26:55

bring, but it brings it brings risks, not just

26:58

in how it's being used by the threat actors,

27:00

but also you know what other vulnerabilities

27:03

That.

27:03

Excise is the eye that you does

27:06

that system tell you what's a problematic

27:08

use?

27:09

It does, so what what it does, and

27:11

you've got to train it right. But what it does is say

27:13

this is this is outside of your policy. So

27:16

CIOs will set policies on here's what

27:18

is acceptable and not acceptable use. So we'll be able

27:20

to scan and say these these falling uses are outside

27:22

of policy, and then it'll punt and say I

27:24

think this is too restrictive, I think this is too permissive,

27:27

and then you can sort of update your policies from there. That's

27:30

just sort of the visibility piece, and then there's the

27:33

run time piece, which will actually stop you from using

27:35

it. So you go and say, Okay, here's all my patient's

27:37

social security numbers. I'm going to upload them to chat

27:39

GPT to you know, get

27:41

an understanding of like where they all live. I

27:43

don't know what why you would possibly do

27:45

that, but let's say you were, and then you know,

27:48

it'll note that looks like a social security number. You can't

27:50

upload that into your prompt, so it.

27:51

Will stop before you Yeah,

27:54

thoughtful voice

27:56

over your shoulder, just to remind

27:58

you not to do something silly exactly.

28:01

But this is just.

28:02

Talk a little bit more about adding AI

28:04

into this mix. You say it's

28:06

a force multiplier. It's a really interesting

28:09

dig into that. What other instances

28:11

of what that means?

28:13

Well?

28:13

How does the balance between AI

28:16

and human expertise

28:19

work in the kind of next generation of cybersecurity?

28:23

I think the.

28:25

Common way to look at as it

28:27

back to the force multipliers, It's

28:30

not going to be is your AI better?

28:32

But can you use it better? Can you ask

28:35

your AI the right questions?

28:37

Are you well trained? So the competition really

28:39

becomes your use of AI? And

28:42

are you pointed it in the right direction?

28:45

You have fifty people can they

28:47

do the work of two hundred and fifty,

28:50

and can they do it in a safe and secure manner,

28:53

So you're not opening up more risk

28:55

based on or too much risk is your risk

28:58

tolerance in order to get the outcome. So

29:00

that's why I think there's the opportunity.

29:02

And so you see this truly

29:05

as a force multiplier because the first thing people

29:07

go, oh, you're going to get rid of people, Oh,

29:09

the people portion is still still

29:12

going to be just as important because they're doing

29:15

that other piece of work.

29:16

One of my favorite statistics is that there are now

29:18

more bank tellers in the US than there were

29:20

in nineteen sixty before the ATM

29:22

was invented. Right, So, but it used to be you would

29:25

go to your bank because you had to. I

29:27

remember doing this. You go, you fill out your deposit

29:29

slip, you hand it to the teller and they give you

29:31

your cash. And then ATMs are invented,

29:33

and it's like, oh, no, what's going to happen all these jobs and now

29:36

there's more, Right, but you're not

29:38

withdrawing money from a bank teller.

29:40

You're now doing more sophisticated transactions. And

29:42

so I think it's similar with AI,

29:44

Right, Like you want people doing things that only

29:46

people can do.

29:47

The human element remains absolutely central

29:50

in all of this. How

29:52

do you make sure that

29:54

your cybersecurity folks are

29:57

equipped to handle high value tasks, are

29:59

ready for the this increasing responsibility.

30:02

There's a couple of ways to answer this, but I think

30:05

the more you're able to automate the

30:08

routine and the mundane tasks. For example,

30:11

the bulk of cybersecurity happens

30:13

in the security operations center. There's analysts

30:16

who are sitting in that center. If they're spending all day

30:18

either configuring alerts

30:21

or responding to alerts, they're not able to do

30:23

the advanced sort of threat hunting and analysis

30:26

work. And so I think a big chunk of it is just

30:28

freeing up their time to be able to

30:30

do the more advanced strategic work.

30:32

And a lot of the automation tools based on AI, like

30:35

our cortex XIM product, is

30:38

it's designed to free up their time in order

30:40

to be able.

30:41

To do that, And from

30:43

our perspective, is making sure that it's a

30:45

requirement to make sure that you have

30:48

the qualifications because people can easily get

30:50

used to.

30:51

Doing what they've always done.

30:52

I know this, and that's what I do

30:55

you say, well, now, all

30:57

the threat actors are learning on

30:59

the fly. They're trying to always outsmart you. So

31:02

it's in your best interest, our best

31:04

interest, our client's best and partners best

31:06

that you are on the front leaning

31:09

edge of that learning capability.

31:11

If you're talking to a client he wants to develop a

31:13

kind of unified cybersecurity

31:16

strategy, what's the best single

31:19

piece of advice you can give them?

31:22

You should have a single platform. It's

31:26

hard not to answer that, but it is true.

31:28

I mean all joking aside having you

31:31

know the best of breed solutions that are

31:33

all talking to each other and able to stitch together

31:36

and identify threats before human might be able

31:38

to. That's number one, and number

31:40

two is making sure you have visibility

31:42

on all elements so you're

31:44

able to cover your whole environment and understand

31:46

how people are accessing it.

31:48

I'd say, think like a bad actor.

31:50

Yeah, always think outside

31:52

in because you get comfortable the

31:55

other way around.

31:57

You guys work together with a Push

31:59

and five company, and I'd

32:02

love for you to talk a little bit about use that as a kind

32:04

of case study for what this collaboration

32:07

between the two your two companies

32:09

looks like. When you work with

32:11

a cloud.

32:12

It really was you know, IBM leading on

32:15

a digital transformation for this

32:17

client that wanted to move their applications into the cloud.

32:19

And so you're asking a lot of questions about how does AI

32:22

increase the risk and the surface area.

32:24

Those same questions ten years ago were asked about

32:26

the cloud, and we're still on the journey where

32:28

where companies are migrating into the cloud.

32:30

We're not anywhere near finished that yet.

32:32

And so there's two pieces to a cloud migration. One

32:34

is just refactoring for the cloud to make sure the application

32:36

works effectively in the cloud. And the second

32:39

is security. And then you built in security by

32:41

design using poll does prison

32:43

of cloud products to make sure that not only did

32:45

you have the visibility so our cloud product

32:47

you can scan and see where the vulnerabilities are. And

32:50

then there's also you know cloud firewalls

32:53

essentially that will keep bad actors

32:55

out and keep the cloud instance

32:57

secure.

32:59

If we sit down, I don't have this conversation five

33:01

years from now, which I actually hope we do.

33:04

Be fun.

33:07

This pretend is twenty twenty nine. Tell

33:09

me what are you happy about in twenty twenty nine.

33:12

I think twenty twenty nine, quantum computing

33:15

is mainstream. I

33:17

think quantum computing is

33:21

now quantum safe, where we're

33:23

using quantum computing

33:25

to make sure that those bad

33:27

actors aren't as bad as

33:29

they used to be back in twenty twenty

33:31

four, and we're seeing

33:33

around the corners and that

33:35

we're empowering our palo

33:38

Alto relationship. That

33:40

in twenty twenty nine is

33:42

the premiere type of capability

33:45

that people are looking at when they

33:47

think of what used to be AI

33:49

and now is quantum capability.

33:51

Yeah, yeah, I

33:54

think for AI, everyone's

33:56

just using it as part of their job. The way email

33:59

was an innovation in the nineties, the way you

34:01

know cloud was an innovation in the twenty

34:03

tens, and we thought, how are we going to use

34:05

this? What impact is it going to have on productivity?

34:08

All these people who are spending their days typing up memos,

34:10

like what are they going to do? We're going to be past that

34:13

fear and we're all going to understand that

34:16

it is this like truly positive force

34:18

multiplier. For you know, every employee

34:20

is able to do their best work

34:22

and spend their time

34:25

on the things that only they can do, and then the

34:27

AI is doing the rest of that for them.

34:29

Right, AI, it's fun to

34:31

enable many things to work

34:33

together, and it won't be just one language

34:36

model.

34:36

We won't even think about.

34:37

It will be the difference between

34:40

you know, Malcolm having a fax

34:42

machine, stereo and a telephone

34:45

and a memo board. Now it's in

34:47

your pocket and it's all one thing and

34:50

you don't even call that, you know. I said, walk them into

34:52

my kids the other day and they're like, what's a walk man? So

34:56

I do think it will. It'll be part

34:58

of the past, and it will be the stock of the

35:01

seamless connection. That is, secure

35:03

seamless connection, of HR,

35:06

of finance, of distribution,

35:08

logistics, of billing, all.

35:10

Of those will have a capability

35:12

to work together. Yeah.

35:15

I have to do some social quick fire questions.

35:18

You guys ready, all right? What's

35:21

the number one thing that people misunderstand about

35:23

AI?

35:24

The reliance on data? What

35:27

do you mean by that?

35:28

I think that it's just assumed that it's happening

35:31

and it can just go out and grab data

35:33

anywhere.

35:35

Yeah, you have.

35:36

To have good data, reliable data,

35:38

and access to the data.

35:40

I think people are too afraid of it.

35:42

Checkbox and image generators are the biggest

35:45

things in consumer AI right now? What do you think

35:47

is that next big business application?

35:49

Jason, I think it's the tying together

35:51

of multiple capabilities. I'm hinting

35:53

towards this earlier is. I think tying

35:55

together the disparate systems

35:58

that sit in different parts of the organization, front all this

36:00

back office, making it one office and tying

36:02

together those different functions.

36:03

That's it.

36:05

I mean, it's workflow automation. I think back

36:07

to your point on the reliance on data

36:09

seems easy. It's a lot harder than you think because

36:11

you have to have everything set up and exactly the right way to

36:13

get all of your systems automated and the

36:16

sort of the more boring jobs taken care of

36:18

so that humans could do the strategic ones.

36:22

How are you already using AI in

36:24

your day to day life?

36:27

I mean I use it at

36:29

work all the time, and then I've

36:31

found right now I go to chat, GPT instead

36:33

of Google to look things up. I like

36:36

having a conversation.

36:38

We have a wonderful capability

36:40

in our consulting business called our

36:43

consulting assistant and consulting

36:45

advantage is the proper name for it, but I look

36:47

at it as.

36:48

That assistant and it's a force multiplier

36:51

for me.

36:51

So if I need to pull

36:53

together content proposals

36:55

with the teams, we go straight to that.

36:58

We are one more we Here's so many definitions

37:00

of open related to technology. How

37:03

do you define it and how does the concept

37:05

help you innovate?

37:07

By definition? In cybersecurity,

37:09

you don't want to be too open, right, So I think

37:12

we enable openness with

37:14

this concept of zero trust and saying like everyone's

37:17

invited in as long as you have the right credentials, right.

37:19

So that's that's one way, and then the other way

37:21

is just making sure you're connected to all

37:24

the different systems in order to

37:26

be able to have that visibility and see what's happening,

37:28

because if you are blind, that's

37:31

the minute you have that vulnerability.

37:33

And I'd say it's moving

37:36

quickly with security,

37:39

it sounds contradictory open.

37:41

Oh then it means you're not safe. No, you are safe

37:43

and you can move faster.

37:44

Yeah, thank you so much.

37:45

It's fun.

37:46

Thanks a lot, Thank you great. We'll see you in five years.

37:49

Five years, man,

37:52

I'll be old in five years. Thank

37:55

you to Jason Kelly at IBM and

37:57

Christy Frederick's at Polo Alto

38:00

networks for that fascinating conversation

38:03

about the threats and opportunities in cybersecurity

38:06

today. As

38:08

Jason and Christie stressed, AI can

38:10

be a force multiplier for enterprise

38:13

across industries. When

38:15

you're working with multiple products and have your data

38:18

in distributed environments, you

38:20

need technology that will work across

38:22

your organization, and with Palo

38:24

Alto Networks platform, you

38:26

can enhance cyber resiliency

38:29

and simplify your operations.

38:32

Through their collaboration, IBM and

38:34

Palobalto Networks are charting the

38:36

future a fully integrated open

38:39

end to end security solutions.

38:43

Smart Talks with IBM is produced by Matt

38:45

Romano, Joey Fishground, Amy

38:48

Gaines McQuaid, and Jacob Goldstein.

38:51

We're edited by Lydia Jane Kott.

38:53

Our engineers are Sarah Bugaier and

38:55

Ben Tolliday. Theme song by Gramoscope

38:58

Special thanks to the eight Bar and IBM

39:00

teams, as well as the Pushkin Marketing

39:03

team. Smart Talks with IBM

39:05

is a production of Pushkin Industries and Ruby

39:07

Studio at iHeartMedia. To

39:09

find more Pushkin podcasts, listen

39:12

on the iHeartRadio app, Apple Podcasts,

39:14

or wherever you listen to podcasts. I'm

39:17

Malcolm Glapham. This

39:20

is a paid advertisement from IBM.

39:22

The conversations on this podcast don't

39:25

necessarily represent IBM's positions,

39:28

strategies or opinions.